# Virtual TPM

This guide outlines the implementation and configuration requirements for Virtual Trusted Platform Module (vTPM) v2.0 support in <code class="expression">space.vars.product\_name</code>. The solution uses the open source Barbican service for encryption management. The Virtual TPM service enables TPM support on <code class="expression">space.vars.product\_name</code> hypervisor hosts.

## Image Preparation and Configuration

The Virtual TPM configuration is controlled through **metadata that can be applied at the virtual machine image level**.

When you add TPM metadata to an image, any VM created using the image will automatically enable vTPM with the specified configuration. The metadata parameters control:

* The TPM version (1.2 or 2.0)
* The TPM model type (`tpm-tis` or `tpm-crb`)

Apply these settings by adding the metadata below to the image:

#### Image-level Properties

Associate the following TPM metadata with a virtual machine image to enable vTPM for VMs created from that image.

{% tabs %}
{% tab title="Properties" %}

```ini
hw_tpm_version = 2.0
hw_tpm_model = tpm-crb
```

{% endtab %}
{% endtabs %}

For example, you might start with a standard Windows image without TPM support and later add TPM 2.0 support by updating the image metadata. Any new VMs created from this image will have TPM 2.0 enabled, while existing VMs remain unchanged.

## VM Deployment and Verification

1. Create a VM with vTPM support through the <code class="expression">space.vars.product\_name</code> UI.
2. Make sure that the VM reaches the "Active" state.
3. Perform TPM verification:

#### For Windows VMs

1. Press Windows key + R
2. Run `tpm.msc`

#### For Linux VMs

{% tabs %}
{% tab title="Bash" %}

```bash
ls /dev | grep tpm    # Should show TPM device
```

{% endtab %}
{% endtabs %}

#### General TPM Verification

{% tabs %}
{% tab title="Bash" %}

```bash
# List running VMs
virsh list

# Verify TPM configuration
virsh dumpxml <VM_ID>
```

{% endtab %}
{% endtabs %}

Expected TPM configuration in XML:

{% tabs %}
{% tab title="XML" %}

```xml
<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'>
    <encryption secret='<secret>'/>
  </backend>
  <alias name='tpm0'/>
</tpm>
```

{% endtab %}
{% endtabs %}
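
To check the domain XML programmatically instead of by eye, the following added example (not part of the product's own documentation or tooling) parses `virsh dumpxml` output and reports any deviation from the expected configuration above, including a missing encryption secret. The function name `check_vtpm`, the script name `check_vtpm.py`, and the sample XML with its placeholder secret UUID are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of `virsh dumpxml <VM_ID>` output; the secret UUID is a placeholder.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>instance-example</name>
  <devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='00000000-0000-0000-0000-000000000000'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>
  </devices>
</domain>"""


def check_vtpm(domain_xml, want_model="tpm-crb", want_version="2.0"):
    """Return a list of findings; an empty list means the vTPM matches."""
    try:
        root = ET.fromstring(domain_xml)
    except ET.ParseError as exc:
        return [f"domain XML did not parse: {exc}"]
    tpm = root.find("./devices/tpm")
    if tpm is None:
        return ["no <tpm> device in domain XML"]
    findings = []
    if tpm.get("model") != want_model:
        findings.append(f"model is {tpm.get('model')!r}, expected {want_model!r}")
    backend = tpm.find("backend")
    if backend is None:
        return findings + ["<tpm> has no <backend> element"]
    if backend.get("type") != "emulator":
        findings.append(f"backend type is {backend.get('type')!r}, expected 'emulator'")
    if backend.get("version") != want_version:
        findings.append(f"version is {backend.get('version')!r}, expected {want_version!r}")
    enc = backend.find("encryption")
    if enc is None or not enc.get("secret"):
        findings.append("no encryption secret: vTPM state is not encrypted")
    return findings


if __name__ == "__main__":
    # Usage: virsh dumpxml <VM_ID> | python3 check_vtpm.py
    xml_text = SAMPLE_DOMAIN_XML if sys.stdin.isatty() else sys.stdin.read()
    problems = check_vtpm(xml_text)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any finding is reported, so it can gate a post-deployment check.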

## Secret Management Verification

Run the following command to confirm that the secrets were created successfully:

{% tabs %}
{% tab title="Bash" %}

```bash
openstack secret list
```

{% endtab %}
{% endtabs %}

Each VM with TPM should have a corresponding secret entry.

